Getting your black letter law data protection specialists to join your post-it wielding innovators on their bean bags might be challenging but it is important. Perhaps try breaking the ice with some table tennis and piano-led house music (a scientifically proven method*).
Data protection compliance; a critical element of process improvement
Many organisations and regulatory bodies face a number of key challenges: to improve efficiency, ensure the expeditious progression of cases as well as operate in a data protection compliant manner. It is now much more commonplace for law firms, regulators and in-house legal teams to have some form of approach to process improvement which can be traced back to one or more of the established methodologies such as Lean and Six Sigma.
Given that most process improvement projects will involve the optimisation of technology or the introduction of new technology (including that which facilitates automated decision-making) it is important that all operations and process improvement professionals in the legal and regulatory sectors are familiar with the Data Protection Impact Assessment (DPIA) approach so that it can be incorporated into each project without derailing the potential for innovation.
Some projects will more obviously relate to the processing of personal data (for example, the implementation of a client/customer relationship management system). However, many (if not all) technology-related projects will likely involve some change to how personal data or special category data is processed.
Data protection compliance considerations have the potential to completely re-define a project’s direction and scope and so it is vitally important that they are considered and re-assessed at every stage of a project. Otherwise, there is a risk of discovering that a carefully scoped and planned solution is not compliant with the relevant legislation resulting in a significant waste of time and resources.
How to approach DPIAs within the context of process improvement
Earlier this year, the Information Commissioner’s Office (ICO) released updated guidance in relation to conducting a DPIA. Set out below is an example of how the DPIA requirements can be seamlessly woven-in to any process improvement project.
The process improvement project stage by DPIA considerations
1. Define the problem to be solved
At this stage, your approach should incorporate the DPIA screening questions. You must conduct a DPIA if there is a chance that the project will result in systematic and extensive profiling with significant effects or the processing of special category data or criminal offence data on a large scale. Do any of the ‘problems’ identified at this stage indicate a data protection compliance issue? If so, you should definitely conduct a DPIA and also consider running a separate project which is focussed solely on data protection in the relevant areas.
2. Investigate, and measure the size/impact of the problem
Data analysis: Are any of your measurements at this stage going to be set up for on-going management information reports? Does any of your measurement or analysis lead to significant decision-making? Does your measurement data need to be anonymised? Is it easily anonymised?
3. Analyse the problem and determine the root cause(s)
Process analysis: ensure that your “as-is” process-mapping exercises include reference to where personal data and special category data is processed and feed this into your risk assessment such that risks can be minimised or mitigated at the solution generation stage of the project.
4. Generate and develop solutions
A DPIA is required for any projects which involve a plan to “use innovative technology”. If solutions involve process automation (creating forms, documents, correspondence), have any new data flows been properly mapped and risk assessed? Does the automated process use data which is accurate, up-to-date and secure? Are there any unintended consequences of the re-designed process in terms of the data processing? Have you ensured that all of the processing is lawful, fair and transparent? Have you considered undertaking any consultation in relation to the proposed solution(s)? Do the solutions involve data processing which is both necessary and proportionate? Does your new process facilitate a straightforward means by which to record processing activities and decisions?
Ideally, your proposed solutions should be reviewed by your organisation’s data protection lead (or Data Protection Officer (DPO) if you have one) as well as your information security executive or equivalent before proceeding to the pilot stage.
5. Pilot and implement solutions
Any pilots should be conducted in an appropriately controlled test environment which enables any of the above issues to surface very quickly (if they were not easily foreseeable at the earliest stage, in which case, they should have been picked up by your forward-looking risk assessment).
Ensure that any solutions are signed off by your organisation’s data protection lead (or DPO) as well as your information security executive or equivalent. Consider implementing a robust risk management approach using a tool such as the Failure Mode and Effects Analysis (see our related blog Privacy by design to safety by default: A process improvement approach to data protection).
It is important to note that any processing for which a high risk cannot be minimised or mitigated should be recorded within your DPIA and sent to the ICO for consultation. This consultation can take up to 8 weeks (with the addition of a further 6 weeks for complex cases) and so this should be factored into your project management planning.
6. Embed the changes, celebrate successes and sustain the improvements
As part of your control plan, you will need to include a record of the process changes, updating your compliance documents and privacy notices accordingly.
Your risk assessment should carry through to the project’s control plan so that there are periodic reviews of the process in line with any other business, political or legal changes which might warrant a review of the solutions implemented.
An increasing and unavoidable focus upon DPIAs
Whilst the answers to DPIA questions are not always black and white, the process will identify key risks for mitigation and demonstrate a responsible approach to data processing.An increasing and unavoidable focus upon DPIAs.
In the pre-GDPR days, Privacy Impact Assessments (PIA), as they were then known, were encouraged as ‘good practice’ when an organisation was processing data that is likely to result in a high risk to individuals. The impetus to conduct a DPIA is now even more acute than it was pre-GDPR. If there is a question mark over whether or not you should conduct one, or your responses to the screening questions come back as a ‘not sure at this stage,’ then you should definitely work through the DPIA considerations until you are satisfied one way or the other.
The above DPIA considerations may seem onerous (at least until they become “business as usual”) but the alternative is much more terrifying: enforcement action; fines; damages claims by for data subjects; and the risk of reputational damage. The cost of conducting a DPIA, especially when woven into other standard operational procedures, is therefore far less costly than the alternative.
In the post-GDPR world, organisations are required to be more specific about why, how, where and when they are processing data in all circumstances and on a case-by-case basis. Everyone seems to want a ‘cheat sheet’ or some quick and ‘general’ advice but in reality, every situation is different and requires that we revisit the core data protection principles until they are hard-wired into our psyche. If we can take the above positive steps to hardwire the DPIA approach into our operational policies and procedures then we are at least one step closer to the utopia of privacy by design and by default.
*well, not really scientifically proven but feel free to make suggestions for the playlist.